Midland Independent School District in Texas had a data breach when an administrator's car was "broken into" (it's the correct expression, but the car was not locked, so it was less "breaking and entering" than "opening and entering"). Information for approximately 14,000 past and present students at Midland ISD was compromised because a laptop computer was stolen (no, the device was not protected with laptop encryption software like AlertBoot).

Usually, the problem is a result of an employee not knowing or understanding a particular organization's computer security and usage policies. However, in this case, it looks like there's less than meets the eye: according to cbs7kosa.com, Midland ISD didn't have such policies in place.

SSNs and DOBs Stolen

The data breach was caused when a laptop computer and an external hard drive were stolen from a school administrator's unlocked car. Approximately 14,000 students' SSNs and dates of birth were breached in this information security incident. Students affected include "all current students from seventh grade through high school seniors, along with graduates dating to the class of 2008" according to nbcdfw.com.

Despite reports all around that encryption software was not used, nbcdfw.com notes that "[Midland school Superintendent Ryder] Warren said the information in the computer was coded and password-protected, but not on the external hard drive."

Of course, password-protection is not really protection. Easy ways to get around it include using a Linux CD to bypass the "protection", using a Windows recovery CD, or even hooking a laptop's internal hard drive to a second computer. This is the main reason why data breach laws provide exceptions from legal action when computer encryption software is used but not when "password protection" is used.

However, I've learned over the past five years or so that, if people confuse password-protection with encryption, they're also liable to confuse it the other way around as well. Regardless, seeing how the external hard drive was not protected at all, there is no room for giving the benefit of the doubt on this one.

A simple thing like using file encryption or volume encryption on the external hard drive would have prevented this particular data breach. (Incidentally, this is available for free when you use AlertBoot full disk encryption because, well, copying data off of a computer is one of the classic ways that FDE can be "bypassed".)

"BYOD" Program in Place

The fact that a proper computer usage policy wasn't in place is astounding when you consider the nature of the information that was being handled by the administrator and the fact that she was authorized to take it home as necessary:

There really was no specific policy in place about employees bringing sensitive data home.

Superintendent Dr. Ryder Warren says various employees work remotely and they do have data on laptops and hard drives. He says it's on a "need to know" basis, depending on their job requirements. [cbs7kosa.com]

According to the same article, the administrator needed that information on her person:

"She handles graduation accountability rates which are based on TEA, cohort data, which is what was on the hard drive. She often conducts home visits of currently coded dropouts to assist them in reenrolling in school, so she is basically always in her car," Warren said.

One may ask, "what's the use of computer security policies if they're rarely followed – people ignore them all the time – and read even less?" The point is that an organization that creates such a policy also produces ways to sustain those policies. For example, if Midland had created a policy where (a) employees are authorized to transport student data and (b) they're required to use encryption when doing so, then (c) the school has to provide some kind of means of doing so, either by providing them with the proper tool or by showing them where they can get it (there is free FDE software available, like TrueCrypt).

Why would I freely advertise a free option over our own AlertBoot? Easy. TrueCrypt is pretty good, but it tends to lack the underlying built-in foundation that makes it ideal for organizations that are looking for mass deployment of encryption on multiple computers, such as the ability to push encryption installation and policy updates, remote management, and encryption key backup, to mention a few examples.

Furthermore, laws and regulations generally require documentation (preferably unassailable) that encryption was used in the event that a laptop is used. With TrueCrypt, there is no easy way to prove its installation after the fact, whereas a solution like AlertBoot keeps detailed logs, via the cloud, of a machine's encryption status. In fact, AlertBoot's encryption reports are regularly used by clients the world over as proof of encryption when devices are lost.

About sang_lee

Sang Lee is a Senior Account Manager and Security Analyst with AlertBoot, Inc., the leading provider of managed endpoint security services, based in Las Vegas, NV. Mr. Lee helps with the deployment and ongoing support of the AlertBoot disk encryption managed service. Prior to working at AlertBoot, Mr. Lee served in the South Korean Navy. He holds both a B.S. and an M.S. from Tufts University in Medford, Massachusetts, U.S.A.